VIRUS-L Digest Thursday, 15 Dec 1988 Volume 1 : Issue 48 Today's Topics: Report of Brain unclear Details on Brain virus at Yale (PC) generic undigestifier --------------------------------------------------------------------------- Date: Thu, 15 Dec 88 09:13:26 EST From: Joe Simpson Subject: Report of Brain unclear The origional Pakastani Brain has several properties. 1. The infection vector is a trap in the boot block. Brain only activates when an infected diskette is booted. 2. The origonal Brain only infects 5.25 inch floppies. It has specific checks that permit it to aviod 3.5 inch floppies and hard disks. A recent report suggested that Brain came as a no charge extra with a commercial word processor. Unless the victim tried to boot a diskette from the vendor the origional brain could not have infected the victims diskettes. If there is a "Brain injector" out there I would like to have that verified. It would change the rules of the game. If there is a version of Brain that infects hard disks I would like to have that verified as well. In a similar vein, there has been an incredible report of V.22 bis modems serving as a carrier for a hostile agent program. Since a V.22 bis modem is a computer it would be helpful for someone with a clear understanding of V.22 bis and the common implementations to comment on the likelihood of risk from this quarter. [Ed. I would think that a good "moral to the story" is that one should not jump to conclusions; that only perpetuates rumors. It would be premature to place too much faith in either report until they can be verified, or at least until a further description, which is accurate in technical details, is offered.] ------------------------------ Date: Thu, 15 Dec 88 10:29:41 EST From: Naama Zahavi-Ely Subject: Details on Brain virus at Yale (PC) Two days ago we discovered at Yale several diskettes infected with the Brain virus. The version we have contains in its boot sector the following text: Welcome to the Dungeon (c) 1986 Brain & Amjads (pvt) Ltd VIRUS_SHOE RECORD v9.0 Dedicated to the dynamic memories of millions of virus who are no longer with us today - Thank GOODNESS!! BEWARE OF THE er VIRUS : \this program is catching program follows after these messeges The infected diskettes also had their volume name set to (c) Brain. This variant of Brain seems to create a hidden file on the diskette, with 0 bytes, and each of the infected diskettes has 3072 bytes in bad sectors. For all we know, the user may have had infected diskettes for a very long time -- we discovered the infection while trying to solve an unrelated WordPerfect problem. Luckily all our public diskettess are write-protected. Now the questions: can this virus infect hard disks under any circumstances? How do systems (RAM) become infected -- at start-up only, or otherwise? How do other disks become infected: when formatted, written to, soft-booted? What is the most trouble-free way of getting rid of it? I suggested formatting a new diskette on a clean system, copying the files over, then re-formatting the infected diskette -- would that work? Are there any dangers involved with this virus, other than the 3 bad sectors mentioned above? I have seen recommendations of DEBRAIN, but I am afraid it might give people a false sense of security against viruses in general, so if the reformatting method mentioned above would work, I would rather use it - -- but I would welcome any opinions to the contrary. Please send to me or to the list any helpful hints you can think of -- any information would be appreciated! Thanks, Naama + -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- + | Naama Zahavi-Ely | | Project ELI E-MAIL ELINZE@YALEVM.BITNET | | Yale Computer Center | | 175 Whitney Ave | | New Haven, CT 06520 | | (203) 432-6600 ext. 341 | + -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- + ------------------------------ Date: Thu, 15 Dec 1988 16:26:34 EST From: Ken van Wyk Subject: generic undigestifier Thanks to Jeff Ogata for sending in a generic undigestifier written in C. It appears to be very standard C and compiled as-is on our Sun. It should compile with most C compilers including WATERLOO C on IBM VM/370 machines. The program does the following: 1) read in (via stdin) a file containing a VIRUS-L digest. 2) output individual files (digest.1, digest.2, ...), each containing one message. 3) output a file (digest.contents) containing the table of contents for that message. It can also extract a specific message number from a digest. I'll make this program available from our LISTSERV in the near future. A couple other people have also volunteered to send in undigestifying programs, and there is apparently one available for anonymous FTP from SIMTEL-20.ARMY.MIL in the PD1: directory. Thanks to everyone who sent me info, etc.! One person who offered to put together a small program asked what kind of functionality would be best. That made me realize that I should've specified something from the beginning... I don't want to sound ungrateful to Jeff and the others who've helped; we already have a lot more now than what we started with! But, let me point out what I'd consider to be an ideal undigestifier for the average digest reader (any digest, not just VIRUS-L). An ideal undigestifier would read in table of contents of a digest and display it on the screen. Then, it would allow the user to point at one or more individual messages and view, extract, print, or perhaps even invoke a text editor to generate a reply file suitable for merging into the local mail system. Thanks again to Jeff and the others! I hope this doesn't sound as though your efforts aren't appreciated. Any comments or suggestions? Ken ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253